First Reference company logo

Inside Internal Controls

News and discussion on implementing risk management

machine cogs image

PIPEDA

Department of Finance releases consultation paper on new retail payments oversight framework

On July 7, 2017, the Department of Finance issued the consultation paper “A New Retail Payments Oversight Framework” (the “Consultation Paper”) proposing a federal oversight framework for retail payments. Comments on the Consultation Paper are due October 6, 2017.

 

, , , , ,

The global reach of Canadian privacy law: Federal court issues landmark ruling in Globe24h

With the global reach of the internet and ease with which information may now be disseminated, this decision therefore may provide corporations and individuals with an effective avenue to pursue foreign-based entities and enforce their rights with respect to disputes involving illegal, defamatory or malicious online activity originating abroad.

 

, , , , , , , , , , , , , , , , , , , , , , , ,

The right to be forgotten has a three-piece suit tailor-made in Canada? From Quebec to British Columbia

This article aims to situate the debate on the right to be forgotten in light of three major precedents, which apparently evolved in isolation (in different provinces, distinct jurisdictions) and yet have everything in common. Indeed, the right to be forgotten is perhaps not as bare as we have been told; we might even go so far as to say that, for the moment, it has a three-piece suit tailor-made in Canada.

 

, , , , , , , , , , , , , , , , , , , , , , , ,

Cybersecurity in a post-Ashley Madison world

In a recent key finding, PIPEDA Report of Findings #2016-005 – Joint investigation of Ashley Madison, the Office of the Privacy Commissioner of Canada provided crucial guidance to organizations in relation to information protection and cybersecurity.

 

, , , , , , , , , ,

Defending a lawsuit is not a “commercial activity” under privacy legislation

In a case dating back to 2016 but just recently published, the Office of the Privacy Commissioner of Canada has ruled that the collection and use of a plaintiff’s personal information for the purpose of defending against a civil lawsuit is not a “commercial activity” and, as such, the Personal Information Protection and Electronic Documents Act does not apply.

 

, , , ,

Lawful access: The Privacy Commissioner reiterates its position

Patricia Kosseim, Senior General Counsel and Director General, Legal Services, Policy, Research and Technology Analysis for the Office of the Privacy Commissioner of Canada, was asked, at the request of Commission’s counsel, to provide an overview of the legislation for protecting privacy in Canada and to answer questions about lawful access issues from a federal perspective.

 

, , , , , , , , ,

Privacy law: The Supreme Court of Canada’s Royal Bank of Canada v. Trang

The Supreme Court of Canada released a landmark decision giving important guidance on when personal financial information may be disclosed under Canada’s federal privacy law, the Personal Information Protection and Electronic Documents Act.

 

, , , , , ,

Cybersecurity best practices for connected cars

Some of the most significant concerns with connected vehicles are cybersecurity and privacy protection. These concerns were the main impetus behind the creation in the US of the Auto Information Sharing and Analysis Centre (ISAC) by a group of US automakers in July of 2014. The group allows its members to share information about threats and vulnerabilities, conduct analysis and develop industry solutions. The Auto ISAC has now released its “Automotive Cybersecurity Best Practices”.

 

, , , , , , , , , , , , , , ,

Public Safety Canada calls for submissions on new national cybersecurity strategy

On August 16, 2016, Public Safety Canada (“PSC”) issued a consultation paper, launching a public consultation as part of PSC’s development of an updated national cybersecurity strategy. The consultation will close on October 15, 2016. Businesses may want to consider making submissions in respect of some key questions posed around possible regulation or standard-setting regarding Internet of Things and connected devices, certification for E-commerce activities, and information sharing (especially in respect of critical infrastructure).

 

, , , , , , , , , , , , , ,

Pension and benefit plan provider breaches privacy law causing employee to lose life insurance coverage

Many of us have called service providers to change basic information, such as a mailing address. You pick up the phone, speak to a representative, and the change is made; no big deal, right? This seamless scenario may not always be the case. Any little misstep on an organization’s part can cause grief not only for the customer, but also for the organization itself. This proved to be true when an employee complained, to the Office of the Privacy Commissioner of Canada, that her employment pension and benefit provider disclosed her personal information to a third party without her consent.

 

, , , , , , , , , , ,

U.S. online payment processor Dwolla fined $100,000 for misrepresenting data security practices: Lessons for Canadian companies

In March, 2016 the U.S. Consumer Financial Protection Bureau (“CFPB”) issued a Consent Order against Dwolla Inc., an online payment platform, for deceiving consumers about its information security practices. The CFPB levied a $100,000 civil monetary penalty against the company, a first for the CFPB. While Canada has different privacy and consumer protection regimes, the lessons from the Dwolla case point to a new direction in enforcement approaches.

 

, , , , , , , , , , , , , ,

Private right of action under Canada’s Anti-Spam Law (CASL)

As of July 1, 2017, individuals and organizations will be entitled to institute a “private right of action” before the courts against those that contravene certain provisions of Canada’s Anti-Spam Law (“CASL”). In the event of a contravention of the message rules in CASL, a monetary penalty up to a maximum of $1,000,000 per day may be imposed. This private right of action should be taken seriously right now. From this perspective and building on previous publications, this bulletin discusses this new mechanism.

 

, , , , , , , , ,

Attempt to fix email issue causes privacy issue

A recent privacy complaint was filed against a telecommunications company under PIPEDA regarding frequent email problems.

 

, , , , , , , ,

New PIPEDA data breach regulations proposed

On March 9, 2016 the Department of Innovation, Science and Economic Development Canada released a discussion paper on the new data breach regulations being proposed. The Ministry is accepting public submissions until May 31, 2016 on the proposed Data Breach Notification and Reporting Regulations.

 

, , , , , , , , ,

Ransomware threat to Canadian businesses broadens

Recent hacker attacks — including the first successful attack on an Apple computer, and several attacks on U.S. and Canadian hospitals — have reminded Canadian businesses of the need to be vigilant about the danger posed by ransomware.

 

, , , , , , , , , , , , , , ,

Previous Posts